Kromtech Security Cybersquatting Research

2018-05-24

By Security Center

Kromtech Security Center found that almost 6,800 out of 19,411 active domains squatting on the top 500 most visited domains contain malicious content.

An accidental visit to one of these sites may cause the loss of any of your personally identifiable information stored in your browser, the interception of your credentials as you type them, installation of malicious software, silent spying on your internet activity, and possibly compromise your computer, phone, tablet, or other Internet-connected device.

Cybersquatting Is a Threat to You

Cybersquatting is a real threat to the Internet's Average Joe.

This research is concentrated around the users and their risk on the World Wide Web. Patterns described here show the dark side of squatted domains, which cause disruptions, stolen data, malware, unwanted programs, unwanted pop-ups, and more.

We are going to explain here why it's so important for regular users to be aware of the threats related to cybersquatting, showing you how vast a threat cybersquatting represents, how to detect it, and how to defend against it as best you currently can. It's our second article about cybersquatting; our first was more corporate-focused, and you can find it here.

Can you find the differences between these links? Which one looks legitimate to you? Could you spot the right one on your phone? Please don't try to type them into your browser.

facebook.cm

fac3book.com

faceb0ok.com

fecebook.com

facěbook.com

faceb00k.com

façebook.com

fàcebook.com

fbme.me

Correct answer: none of them are legitimate.

Covering the links above with a label, you'll probably only see facebook.com as the link name, but the actual embedded hyperlink may contain the cybersquatted domain name, which can forward you to the potentially malicious site. Why didn't you see anything suspicious? Because the font used is confusing.

The example below shows how malicious links that forward to cybersquatted domains can be hidden behind the correct domain name label.

You can see that the link looks like facebook.com, but there is a slight variation in the "c" in the embedded hyperlink. Would you have checked and noticed? How about on your phone or tablet?
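As an added illustration (not code from the original research), the check below folds accents and digit-for-letter confusables out of a hostname before comparing it with the domain the user expects, and flags an anchor whose visible text says facebook.com while its target does not. The confusable map and the trusted-domain set are assumptions, and the registrable-domain logic assumes a two-label domain instead of consulting the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed confusable map: digit/letter swaps seen in the lookalike list above.
CONFUSABLES = {"0": "o", "3": "e", "1": "l", "5": "s", "rn": "m", "vv": "w"}

def host_of(link):
    """Hostname of a URL or bare domain, lower-cased, trailing dot removed."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").rstrip(".")

def canonical_host(host):
    """Strip accents (NFKD) and fold confusables so 'façeb00k.com' -> 'facebook.com'."""
    host = "".join(ch for ch in unicodedata.normalize("NFKD", host.lower())
                   if not unicodedata.combining(ch))
    for glyph, letter in CONFUSABLES.items():
        host = host.replace(glyph, letter)
    return host

def levenshtein(a, b):
    """Plain edit distance; enough to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(link, trusted):
    """'ok' (trusted host or subdomain), 'lookalike' (confusable, typo or TLD swap) or 'unrelated'."""
    raw = host_of(link)
    if any(raw == t or raw.endswith("." + t) for t in trusted):
        return "ok"
    # Assumption: two-label registrable domain; real code would use the Public Suffix List.
    canon = ".".join(canonical_host(raw).split(".")[-2:])
    name, _, tld = canon.rpartition(".")
    for t in trusted:
        tname, _, ttld = t.rpartition(".")
        if canon == t:                       # identical once accents/digits are folded
            return "lookalike"
        if name == tname and tld != ttld:    # facebook.cm: right name, wrong TLD
            return "lookalike"
        if levenshtein(name, tname) <= 2:    # fecebook: a one-letter typo
            return "lookalike"
    return "unrelated"

def check_anchor(label, href, trusted):
    """Flag a link whose visible text is a trusted domain but whose target is not."""
    verdict = classify_host(href, trusted)
    if verdict != "ok" and canonical_host(host_of(label)) in trusted:
        return "mismatch:" + verdict
    return verdict
```

Note that fbme.me is not caught by this check: it is a brand lookalike rather than a character-level one, which is exactly why the article says cybersquatting is not easy to recognise.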

What is Cybersquatting?

Registering a confusingly similar domain name in bad faith with the intention of profiting off the trademark of another.

Profit comes from hijacking traffic meant for another site.

Hijacked traffic can be redirected to pages full of ads, the sale of products, selling the domain name, or malicious acts.

Our previous part contains a lot of information on how to defend against cybersquatting as a company. Here we're going to talk more about how it affects you as an everyday user of the Internet, since your everyday Internet routine can lead you to scam hyperlinks, which can subject you to attack.

Cybersquatted domains can contain a plethora of malicious JavaScript code that can:

Collect your browser fingerprints

Steal autofill form entries from your browser

Steal your credentials as you type them

Open unwanted pop-ups

Redirect you to an unexpected site

Change your browser settings

Install malicious software

Spy on your Internet activity

Compromise your computer, phone, tablet, or other Internet devices

Perform other malicious acts

Can you easily recognize cybersquatting?

The short answer is no, not easily.

You can fall victim if:

You accidentally mistype a domain address or remember it incorrectly

You click a link before checking its embedded hyperlink

You end up redirected somewhere you did not expect

You cannot clearly see the link target on a device with a small screen and follow it anyway

How big is the problem?

There is major concern about the large number of users that are intercepted by these links. The security community certainly isn't sleeping on this issue, and on April 4, 2018, Matthew Chambers released an article on krebsonsecurity.com which gave us some insight into the quantity of mistyped traffic on some “.cm” domains (a common typo for domains that typically end with “.com”).

Matthew's results were gathered from 155 domains and filtered out traffic from search engine robots. Everyone was shocked to see nearly 12 million visits from mistyped “.com” addresses during just three months, from January to March 2018. That is almost 50 million visits per year.

This made us wonder how much of this was malicious to us, so we decided to find out. We can't even imagine how much traffic would be captured across the scope of our research, so we'll show it only for particular cases.

We found quite a number of active similar domains for each. In Figure 1 you can see the count of active similar domains for the Top 500 most visited resources. Each star represents a company and the number of similar domains already registered for them.

Figure 1. Quantity of similar registered domains found per original domain from the Top 500 most visited web pages.

As you can see here, there is a wide range of similar domains currently registered using just a portion of the total data; from just a few to 715 (hospedagemdesites.ws). With all the data we analyzed still only being a subset of the total domains available, and depending upon the length of the original domain, there are far more than this out there.

The left side of Figure 2 represents the results of our automated analysis, obtained using dnstwist along with our Python scripts. The right side of Figure 2 represents the results of our manual analysis of the data.

Automated analysis:

The automated results turned up 27,310 possible permutations within our list; of which 4,742 were found unreachable (or down), 3,157 were registered by the original domain owner, and there were 19,411 active cybersquatted domains.

The automated process then took the active cybersquatted domains and further analyzed them, finding that of the 19,411, 35% triggered at least one of our scripted detections.

The totals (which include duplicate detections): 5% of them triggered a detection on VirusTotal, 0.5% contained malicious files, 20% of them contained input forms (forms such as these can be used to steal credentials), and 18% contained a mention of the original domain (phishing).
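Added example, not Kromtech's own scripts: a stand-in for two of the scripted detections above (credential input forms and mentions of the original domain), run over a constructed HTML page. The sample pages, host names and finding labels are assumptions; it also reports a form that posts credentials to a host other than the squatted one.

```python
from html.parser import HTMLParser

class PageInspector(HTMLParser):
    """Collect the signals the automated pass looks for: forms with a password
    field, where they post to, and mentions of the impersonated brand in visible text."""
    def __init__(self, original_domain):
        super().__init__()
        self.name = original_domain.split(".")[0]  # 'facebook' also matches 'facebook.com'
        self.forms = []
        self.brand_mentions = 0
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and self.forms:
            if (a.get("type") or "text").lower() == "password":
                self.forms[-1]["password"] = True
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if not self.in_script and self.name in data.lower():  # visible text only
            self.brand_mentions += 1

def inspect_page(html, squat_host, original_domain):
    """Return sorted finding labels for one squatted page (labels are assumptions)."""
    p = PageInspector(original_domain)
    p.feed(html)
    findings = set()
    for f in p.forms:
        if f["password"]:
            findings.add("password_form")
        if "://" in f["action"] and squat_host not in f["action"]:
            findings.add("offsite_form_action")  # credentials posted to a third host
    if p.brand_mentions:
        findings.add("brand_mention")
    return sorted(findings)

# Constructed samples: a credential-harvesting page and a harmless parked page.
PHISH = """<html><head><title>Log in to Facebook</title></head><body>
<form action="https://collector.example/post.php" method="post">
<input name="email"><input type="password" name="pass"><input type="submit">
</form><script>var brand = "facebook.com";</script></body></html>"""
PARKED = "<html><body><h1>This domain is for sale</h1><a href='/buy'>Buy now</a></body></html>"
```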

For our manual analysis we did a few things differently:

We took the same dataset of 19,411 active squatted domains and sorted them by their final redirect links.

We aggregated and sorted that list by the number of occurrences of the redirect links.

This gave us a representative list of the Top 100 redirect destinations from squatted domains.

We manually parsed through these to determine how to classify them. We looked for malicious redirects from content or ads, software, miners, and suspicious links with strange or empty content.

In total, we manually analyzed nearly 900 active squatted links, which is only 4.6% of our initial scope.

As you can see on the right side of Figure 2, which represents our manual analysis, we found that 71.7% were not harmful (well, to us anyway; they are probably stealing revenue from the original domain owner) and 28.3% were potentially malicious to us. That means that nearly 30% of currently active cybersquatted domains are potentially malicious to end users. That is a very large number when scaled!

It's important to note the differences between automation and manual analysis. There is a larger possibility of false positives and/or false negatives with automation; scripts cannot interpret as the human brain does. We also took a further step than our automation, sorting by final destinations. So we should expect our automated number to be different from what we get manually, and our manual classification should be a much more accurate representation of the threats.

It's interesting to note here that by aggregating on final destinations, we get a glimpse into the industries involved in the cybersquatting business.

The destination matters here: where are we led?

An analysis of the top redirected links shows us who's using cybersquatting to steal users from mistyped or phished URLs. Figure 3 below shows the destinations for the top 35 of them based on their occurrence. We included the parameters within the URLs because without them they may behave differently (i.e. different redirects, attacks, or page displayed). The behavior may vary depending on time zone, browser, country, and browser extensions or plugins used. We strongly recommend that you DON'T visit them with your web browser. For our manual analysis, we used Chrome and Firefox on Windows 7 and Ubuntu.

From our results, we find that 64 squatted domains point to searchinquire.com:

http://www.searchinquire[.]com/?dn=searchfusion[.]com&pid=9POK8YGH5

Of note,

The pages are not indexed by search engines

They contain only ads to specific domains (their partners)

The ads are shown based upon a parameter in the URL

Any click on searchinquire.com redirects you to the same page or to their “partners”

Without any parameters, we find that it opens a page which gets nearly 40,000 daily page views.

The first results displayed by Google for searchinquire show articles about removing the searchfusion browser redirect/hijacker virus. Picking one of those results, for example from 2-viruses, we can see that they are well known for their malware.

What is a browser hijacker?

A browser hijacker is an unwanted form of software that modifies your web browser in any number of the following ways:

There are also many posts on Google+ and Facebook with no reasonable content that contain links or redirects to searchinquire and searchfusion, indicating that accounts may have been compromised via hijacked redirects, with users' credentials stolen and their accounts used. For additional references: https://plus.google.com/s/searchinquire.com/top

#2 and #4 in our list both lead to very mysterious pages, with redirects from 121 cybersquatted domains.

#5 leads to Shopify.com with the referral parameter “mvm” (apparently bought by third-party services):

https://www.shopify.com/?ref=mvm

40 redirects in total.

#6 leads to various domain registrars, with 160 redirects, which is 17.9% of the 900 destinations we manually checked.

Most of the domain registrars know about cybersquatting and will try to get the maximum price from the original owners or companies. The most similar domain names will cost the most - the price can vary from $10 to $20,000 per domain.

Deep analysis of cybersquatted links

What we noticed through a more detailed analysis of cybersquatted links:

Most of them are not indexed by Google or other search engines.

Dark patterns of traffic aggregation are typically used for fast income and ads, where page views equal money.

Ads appear to be the main purpose of registering such domains.

If the cybersquatted domain looks the same as, or nicer than, the original one, the user can be lost to it.

Current regulations regarding ad content and ad providers cannot defend against this type of hijacking.

Many were targeted phishing campaigns that use the domain briefly and then drop it.

We also found widespread phishing campaigns, designed to affect a large number of users.

One of the indicators of a massive scale attack is the occurrence of stolen data on the Dark web marketplaces.

Another indicator is strange activity on social media: we noted odd posts on Google+ and Facebook with no reasonable content that contained links or redirects to searchinquire and searchfusion.

We also discovered that the majority of companies that are registering the most similar domains are only doing so to avoid the following risks:

Hijacking leads from their web stores

Phishing

Software downloads from a mistyped domain

Below, in Figure 4, you can see the distribution of the total number of similar domains registered per domain vs. the similar domains registered by the original domain owner.

Figure 4. Total similar domains registered per company domain vs. similar domains registered by original domain owner.

We used the total number of similar domains registered per company domain vs the similar domains registered by the original domain owner to plot trend lines.

We discovered that the average trendline of registered similar domain names is around 15%, which shows that not many companies are taking this threat seriously. Maybe they cannot afford to do so, are ignoring the threat, or just don't know about it. In fact, most of the companies we analyzed are at the bottom of this chart; they have not registered many similar domain names.

This is a huge threat! The risks of cybersquatting are important for all sites but may be most relevant to news resources, e-commerce, banking, social media, online apps (including email), software download sites, and, frankly, any site that requests personal information or a login and password. Attackers use these cybersquatted domains to lure and entice those who mistype the real domain or were tricked into clicking a link. They are hijacking you, annoying you with popups, stealing your money and your credentials, and/or compromising your computer, phone, or tablet.

Figure 5. Percent of similar domains registered by the original domain owner.

Companies within the Moz Top 500 that appear to care the most about cybersquatted domains, but mainly for their own reasons.

Company            | Area of use    | Risk related to cybersquatting
-------------------|----------------|------------------------------------------------
Elegantthemes.com  | Media content  | Loss of clients through redirects to other resources
Twitch.tv          | Streaming      | Phishing
Engadget.com       | Media content  | Loss of clients through redirects to other resources
Istockphoto.com    | Media content  | Loss of clients through redirects to other resources
Amazon             | E-commerce     | Phishing
Teamviewer.com     | Software       | Malicious software, phishing

WhatsApp, even though it sits at the bottom of the graph, has largely avoided these risks by changing the authentication mechanism of its web service: you can now only enter the service by scanning the QR code from web.whatsapp.com. Users should still be properly informed, because the risk is mitigated rather than removed:

Phishing pages still exist; here is a WhatsApp phishing page for Iranian users, where the service is completely restricted:

This particular phishing page asks for a phone number. Triggering only on Iranian phone numbers, it then asks for an activation code, and finally redirects to a phone input page.

Cybersquatting cases in detail

In Figure 6 below, we have a side-by-side comparison of the current state of similar websites for Facebook and for WhatsApp.

We found that 33.8% of the links to Facebook and 16.7% of the links to WhatsApp contain malicious content!

Because we analyzed 27,310 cybersquatted links, we've done some bonus infographics. A detailed infographic of all of them would be incomprehensible, so we made a simplified version with a few selected popular companies for a better perception of the overall threat. See Figure 7 below, and understand that it still represents only a very small minority of the total number of domains out there. Think scale!

Red and Grey in Figure 7 are currently active potentially malicious cybersquatted domains! It is even more frightening if we aggregate them using the 7 categories analyzed with Facebook and WhatsApp (think scale again):

Tools we've used to detect cybersquatted domains

We are always looking for ways to improve our code and reduce false positives, your suggestions are most welcome on our GitHub repository.

Tools to defend yourself against cybersquatting

Cybersquatting is a very serious threat to you. It is used for various nefarious purposes including serving malicious software, phishing, malvertising, stealing your credentials, hijacking your browser, spying on your Internet activity, and more.

While we noted in our previous article that companies should protect themselves by registering, at the very least, the most obvious and similar-looking domains, there isn't much available to protect us, the regular users.

We must protect ourselves and be aware of this threat:

Closely check the URLs you type or click, and do not click on ads or links from suspicious sites, emails, or other sources.

Remain extra vigilant on smaller devices like phones and tablets; it can be difficult to see the differences on them, and those devices are being targeted.

For more advanced users there are resources where you can check the link for phishing (urlscan.io being the most useful).

While these resources can help you detect a phishing page and report it so that it gets blocked automatically in all major browsers, URL shorteners, and antivirus packages, the results are not 100% correct and many of these services are still in beta.

Even though popular apps or services, Gmail for example, may warn you about suspicious links in the text, you still must remain vigilant: their detection measures may not catch everything, and new vulnerabilities are frequently found.

So, no Google, we should not just be careful with the messages you detected, we should always be careful!

For example, the researchers at Avanan recently disclosed baseStriker on May 8, 2018, a phishing methodology that affects 100M Microsoft Office365 users.

The attack is fairly simple: it sends a malicious link that would ordinarily be blocked by Microsoft past their security filters by splitting the URL into two snippets of HTML, a base tag and a regular href tag. You can check out the full post and video explanation here.

Microsoft fixed the vulnerability after 14 days.
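Added example, not Avanan's or Microsoft's code: a link extractor that resolves every href against the document's base tag, which is what a filter has to do to see the URL the user will actually open rather than the fragment a tag-by-tag scan sees. The sample message, the host name and the blocklist are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LinkExtractor(HTMLParser):
    """Collect hrefs from an HTML body, resolving each against the document's
    <base href> the way a mail client or browser will when the link is clicked."""
    def __init__(self):
        super().__init__()
        self.base = None
        self.raw_links = []       # what a naive, per-tag filter sees
        self.resolved_links = []  # what the user actually navigates to

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]          # only the first <base> counts
        elif tag == "a" and a.get("href"):
            self.raw_links.append(a["href"])
            self.resolved_links.append(urljoin(self.base or "", a["href"]))

def extract_links(html):
    """Return (raw_hrefs, resolved_urls) for an HTML message body."""
    p = LinkExtractor()
    p.feed(html)
    return p.raw_links, p.resolved_links

def blocked(urls, blocklist):
    """URLs whose hostname is on the blocklist (a stand-in for a URL filter)."""
    return [u for u in urls if (urlsplit(u).hostname or "") in blocklist]

# Constructed sample: the base tag carries the host, the anchor only a relative path.
MAIL = """<html><head><base href="http://bad-site.example/"></head>
<body><a href="login/index.php">Sign in</a></body></html>"""
BLOCKLIST = {"bad-site.example"}
```

A filter that checks only the raw href finds nothing to block here, while the same blocklist applied to the resolved URL does.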

Conclusions

There are a vast number of active, malicious links out there right now!

End users are at risk even more so than companies. While products exist to help protect, none can protect all. Many of the existing security products have static data sources, either without a rescan or with an inefficient rescan of the link.

You can't completely trust the results of these sites and apps, because yesterday there may have been cute kittens at that link and today you might get a phish or Trojan from the same link.

Because of this, we cannot currently recommend a usable and simple product to avoid these squatted domains. Your Antivirus can block a part of them, but if the link changes its content, and nobody reports it, you may still fall prey to a new phishing campaign or even catch some malware.

All of this means that it is mainly up to you to protect yourself.

Definitely, use the tools currently available, do not follow links from unknown or unexpected sources, and carefully examine any link you receive before visiting it. From our research here you know that the threats you face are immense if you are not careful.

Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.